Client-side encryption vs. point-to-point encryption vs. TLS

Client-side encryption protects a message the moment someone composes it, and it ensures that only the sender and recipient can decrypt the message to view the plain-text content.

Point-to-point encryption, or Transport Layer Security (TLS), provides an encrypted pipe through which messages can be transmitted. Unlike client-side encryption, TLS does not encrypt the actual message at rest. Instead, it protects otherwise unencrypted content only while it travels between mail servers. As a result, mail providers typically have access to the unencrypted messages that reach them throughout this process.

For TLS to work, both the sender’s and the recipient’s email systems must have TLS enabled. If the recipient’s server does not support TLS, the communication will not be allowed. This means the email will not reach its intended recipient.
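
The delivery rule described above, as an added example that is not part of the original page. It assumes the sending server requires TLS through the SMTP STARTTLS extension, which the page does not name; the EHLO replies, host names and the function names are constructed for illustration.

```python
import re

# Constructed sample EHLO replies (not captured from real servers).
EHLO_WITH_TLS = (
    "250-mx.recipient.example Hello sender.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-legacy.recipient.example Hello sender.example\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo_extensions(reply):
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    lines = [line for line in reply.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        # "250-" marks a continuation line; only the final line uses "250 ".
        if (match.group(2) == " ") != (index == len(lines) - 1):
            raise ValueError("malformed continuation markers")
        if index == 0:
            continue  # first line is the server greeting, not an extension
        words = match.group(3).split()
        if words:
            keywords.add(words[0].upper())
    return keywords

def delivery_decision(reply):
    """Enforced-TLS policy: hand the message over only if STARTTLS is offered."""
    try:
        extensions = parse_ehlo_extensions(reply)
    except ValueError:
        return "refuse: unparseable EHLO reply"
    if "STARTTLS" in extensions:
        return "proceed: issue STARTTLS, then send over the encrypted channel"
    return "refuse: recipient server does not offer TLS"
```

Even on the "proceed" path the receiving server decrypts the session and holds the message in plain text, which is the gap client-side encryption closes.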

Given these circumstances, and the fact that some on-premises email platforms do not support TLS, client-side encryption is the only way to ensure that content will be secure no matter where it travels.